Impact
If successful login attempts are recorded, the raw tokens are stored in the log table.
If a malicious person somehow views the data in the log table, he or she can obtain a raw token, which can then be used to send a request with that user's authority.
When you (1) use one of the following authenticators:
- tokens
- jwt
- hmac
and you (2) log successful login attempts, the raw tokens are stored.
Patches
Upgrade to Shield v1.0.0-beta.8 or later.
Workarounds
Disable logging for successful login attempts in the configuration files.
- AccessTokens or HmacSha256: set Config\AuthToken::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
- JWT: set Config\AuthJWT::$recordLoginAttempt to Auth::RECORD_LOGIN_ATTEMPT_FAILURE or Auth::RECORD_LOGIN_ATTEMPT_NONE
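The following is an added example of what the workaround looks like in an application's config overrides, shown for both affected config classes; it is not code from the advisory or from Shield itself. It assumes Shield's parent config classes live at CodeIgniter\Shield\Config\AuthToken and CodeIgniter\Shield\Config\AuthJWT, that the constants live on CodeIgniter\Shield\Auth, that the property is typed int to match the parent, and that Auth::RECORD_LOGIN_ATTEMPT_ALL is the name of the setting that records successful attempts (the vulnerable configuration).

```php
<?php
// ---- app/Config/AuthToken.php ----
// Covers the AccessTokens and HmacSha256 authenticators.
// Added example; parent class name and the int property type are assumptions.

namespace Config;

use CodeIgniter\Shield\Auth;
use CodeIgniter\Shield\Config\AuthToken as ShieldAuthToken;

class AuthToken extends ShieldAuthToken
{
    // Vulnerable setting on Shield < v1.0.0-beta.8: successful logins are
    // recorded too, so the raw token ends up in the log table.
    // (Auth::RECORD_LOGIN_ATTEMPT_ALL is the assumed name of that value.)
    // public int $recordLoginAttempt = Auth::RECORD_LOGIN_ATTEMPT_ALL;

    // Workaround: record failed attempts only. Auth::RECORD_LOGIN_ATTEMPT_NONE
    // disables attempt logging entirely if failures are not needed either.
    public int $recordLoginAttempt = Auth::RECORD_LOGIN_ATTEMPT_FAILURE;
}

// ---- app/Config/AuthJWT.php ----
// Covers the JWT authenticator; same change, different config class.

namespace Config;

use CodeIgniter\Shield\Auth;
use CodeIgniter\Shield\Config\AuthJWT as ShieldAuthJWT;

class AuthJWT extends ShieldAuthJWT
{
    // Workaround: never record successful JWT logins.
    public int $recordLoginAttempt = Auth::RECORD_LOGIN_ATTEMPT_FAILURE;
}

// ---- e.g. tests/unit/AuthLoggingConfigTest.php ----
// A guard a defender can keep in the test suite until the upgrade lands:
// it fails the build if either config is switched back to logging successes.
// config() is the CodeIgniter 4 helper that returns the app's config instance.

namespace Tests\Unit;

use CodeIgniter\Shield\Auth;
use CodeIgniter\Test\CIUnitTestCase;

final class AuthLoggingConfigTest extends CIUnitTestCase
{
    public function testSuccessfulLoginsAreNotRecorded(): void
    {
        foreach (['AuthToken', 'AuthJWT'] as $configName) {
            $config = config($configName);
            $this->assertContains(
                $config->recordLoginAttempt,
                [Auth::RECORD_LOGIN_ATTEMPT_FAILURE, Auth::RECORD_LOGIN_ATTEMPT_NONE],
                "{$configName}::\$recordLoginAttempt would store raw tokens in the log table"
            );
        }
    }
}
```

The three files are shown in one block for reading only; each belongs in its own file under the path given in its comment. The test is the useful part of the workaround: the config change is one line, but nothing otherwise stops a later commit from restoring the default, and the log table would silently start collecting raw tokens again.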
References
For more information
If you have any questions or comments about this advisory: